Hacking Atmosphere-NX - Custom Firmware in development by SciresM

Alklas

Active Member
Newcomer
hello

Regarding the CFW, I don't understand why it would not be possible to have an untethered CFW.
As 'we' have control of the Switch at early boot, would it not be possible to act as an official firmware update? Boot on Fusée Gelée, load a payload to remove the firmware encryption controls, update the firmware with our CFW or with a patch allowing dual boot, and have a permanently modified Switch?
 

leerpsp

Well-Known Member
Member
Because this is a tethered CFW for the Switch, does that mean the USB cable will have to be plugged in all the time? Or after I do the hack can I unplug it, and it's just when I restart that I have to plug in USB and start all over?
 

sarkwalvein

There's hope for a Xenosaga port.
Member
hello

Regarding the CFW, I don't understand why it would not be possible to have an untethered CFW.
As 'we' have control of the Switch at early boot, would it not be possible to act as an official firmware update? Boot on Fusée Gelée, load a payload to remove the firmware encryption controls, update the firmware with our CFW or with a patch allowing dual boot, and have a permanently modified Switch?
I am not sure if that is the case, but probably you can't, because the normal boot process requires the code to be signed.
You can't patch the bootrom (fortunately, as it makes the exploit unpatchable), so you can't patch out the code signature verification under normal boot, but you can still run unsigned code that you send through USB due to a bug in the USB stack inside the bootrom code.

Of course, AFAIK.

--------------------- MERGED ---------------------------

Because this is a tethered CFW for the Switch, does that mean the USB cable will have to be plugged in all the time? Or after I do the hack can I unplug it, and it's just when I restart that I have to plug in USB and start all over?
The latter.
 
Last edited by sarkwalvein,

Alklas

Active Member
Newcomer
I am not sure if that is the case, but probably you can't, because the normal boot process requires the code to be signed.
You can't patch the bootrom (fortunately, as it makes the exploit unpatchable), so you can't patch out the code signature verification under normal boot, but you can still run unsigned code that you send through USB due to a bug in the USB stack inside the bootrom code.

Of course, AFAIK.

--------------------- MERGED ---------------------------


The latter.

Thanks for the explanation.
 

P4RI4H

Well-Known Member
Member
So many people are getting so bent out of shape about a tethered exploit. Yes, it is a bit of a PITA to have to be tethered or have to invest in a Raspberry Pi setup, but you just gotta keep in mind that we are in the VERY early stages of this exploit here, guys. Chances are a year down the road there will be updates to this to make it self-contained much like B9S, or possibly even have keys that would eliminate the need to exploit every boot. Frankly, we should be glad there's such an easy exploit at all, given the XB1 and PS4 scenes, and one that will work on all current hardware regardless of FW version. PS4 anything newer than year-old firmware (that is pretty much useless unless you enjoy playing offline or can afford to buy a second rig) has only "private" exploits, and the XB1 scene is totally stagnant as they all are too busy drooling over the legit dev mode that, from what I've seen, only has sandboxed emulators right now. We're ahead of the game here and for very little effort/cost.
 

sj33

Well-Known Member
Member
So many people are getting so bent out of shape about a tethered exploit. Yes, it is a bit of a PITA to have to be tethered or have to invest in a Raspberry Pi setup, but you just gotta keep in mind that we are in the VERY early stages of this exploit here, guys. Chances are a year down the road there will be updates to this to make it self-contained much like B9S, or possibly even have keys that would eliminate the need to exploit every boot. Frankly, we should be glad there's such an easy exploit at all, given the XB1 and PS4 scenes, and one that will work on all current hardware regardless of FW version. PS4 anything newer than year-old firmware (that is pretty much useless unless you enjoy playing offline or can afford to buy a second rig) has only "private" exploits, and the XB1 scene is totally stagnant as they all are too busy drooling over the legit dev mode that, from what I've seen, only has sandboxed emulators right now. We're ahead of the game here and for very little effort/cost.

I'm surprised there's so much complaining - are people really so out of the loop that permanent exploits are expected to be the norm?

The Wii U exploit relied on a web server until Haxchi. So did Vita until Enso. All PS4 exploits do. Hell, iOS jailbreaks have all been semi-untethered for at least 2 years now with no change on the horizon.

People have been spoilt by how convenient the 3DS exploits were (*hax being offline, MSET, Menuhax, A9LH, B9S etc.), but the 3DS hacks were not the norm - they were special.
 

Reaga

Well-Known Member
Member
I'm surprised there's so much complaining - are people really so out of the loop that permanent exploits are expected to be the norm?

The Wii U exploit relied on a web server until Haxchi. So did Vita until Enso. All PS4 exploits do. Hell, iOS jailbreaks have all been semi-untethered for at least 2 years now with no change on the horizon.

People have been spoilt by how convenient the 3DS exploits were (*hax being offline, MSET, Menuhax, A9LH, B9S etc.), but the 3DS hacks were not the norm - they were special.
It doesn't even sound that bad anyway. It sounds like it only really requires the tethered exploit at boot. I doubt sleep mode will reset the exploit, so just keep your Switch near a power source when you're not on the go and you should be fine.
 

Draxzelex

Well-Known Member
Member
People have been spoilt by how convenient the 3DS exploits were (*hax being offline, MSET, Menuhax, A9LH, B9S etc.), but the 3DS hacks were not the norm - they were special.
*gets PTSD flashbacks to beginning of 3DS hacking scene*
<-Current Gateway user
 

Red1Reaper

Asperger Dude
Member
As far as I know, once the CFW is finished there will be no need to do tethered. I mean, the security of the Switch is totally compromised with this, so I don't see anything that can stop the CFW from signing itself, installing itself in the NAND and after that booting itself. That said, I'm not an expert, so I can be wrong.

EDIT: Yeah, I think I was wrong.
 
Last edited by Red1Reaper,

sj33

Well-Known Member
Member
As far as I know, once the CFW is finished there will be no need to do tethered. I mean, the security of the Switch is totally compromised with this, so I don't see anything that can stop the CFW from signing itself, installing itself in the NAND and after that booting itself. That said, I'm not an expert, so I can be wrong.
These kinds of presumptuous posts just add to the confusion.
 

sarkwalvein

There's hope for a Xenosaga port.
Member
...Yet.

Things are bound to only get better from here on out.
Unless you send the Ninja team to Nintendo HQ, I don't see how you will get it.
As you know, the Switch doesn't hold it, it doesn't know it, it is never used, not when you read a game, not when you go into eShop... never.
For verifying a signature you only need the public key, that is on the Switch, there is no reason for Nintendo to ever give anyone the private key, it doesn't get outside its HQ.
 

P4RI4H

Well-Known Member
Member
Unless you send the Ninja team to Nintendo HQ, I don't see how you will get it.
As you know, the Switch doesn't hold it, it doesn't know it, it is never used, not when you read a game, not when you go into eShop... never.
For verifying a signature you only need the public key, that is on the Switch, there is no reason for Nintendo to ever give anyone the private key, it doesn't get outside its HQ.

Preeeeettty suuure this has always been the case for every company, ever, including when the lvl0 private keys were leaked for the PS3. It may not be for a long time, maybe decades, but I'm confident someone out there will release these. Disgruntled employee, hackers, changes to privacy laws, old recycled Nintendo PC dug out of a dumpster. Never can know, my dude.
 

TerraPhantm

Well-Known Member
Member
...Yet.

Things are bound to only get better from here on out.
Even if you used every computer on the planet, it would take a few million years to factor that key. The only way around it is if they made a mistake in either key generation or signature verification (like with B9S).

Preeeeettty suuure this has always been the case for every company, rever, including when lvl0 private keys were leaked for the PS3. It may not be for a long time, maybe decades, but I'm confident someone out there will release these. Disgruntled employee, hackers, changes to privacy laws, old recycled Nintendo PC dug out of a dumpster. Never can know my dude.

As far as I know, the PS3 key was able to be calculated because Sony made a mistake and didn't randomize properly.
 
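An added worked example, not code from this thread and not Atmosphere-NX code, for two points made above: sarkwalvein's, that a loader only needs the public key to verify a signature and so never holds anything it could sign with, and TerraPhantm's, that the private key can still fall out of a signing mistake such as the non-random nonce behind the PS3 key leak. It uses a small pure-Python ECDSA over secp256k1; the vendor key, the reused nonce and the firmware images are all constructed for the demonstration, and the Switch's real signature scheme is not modelled here.

```python
import hashlib
import secrets

# secp256k1 domain parameters (a real, public curve; using it here is a modelling choice).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """ECDSA signature with a caller-supplied nonce k, so a broken RNG can be modelled."""
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (_h(msg) + r * d) % N
    return r, s


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_h(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def boot(pub, image, sig):
    """Loader-side check: the device holds only pub, so it can verify but never sign."""
    return verify(pub, image, sig)


def recover_private_key(m1, sig1, m2, sig2):
    """Two signatures made with the same nonce leak d: k = (h1-h2)/(s1-s2), d = (s1*k-h1)/r."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("different nonces: nothing to recover")
    k = (_h(m1) - _h(m2)) * pow(s1 - s2, -1, N) % N
    return (s1 * k - _h(m1)) * pow(r1, -1, N) % N


# Constructed data: a pretend vendor key, a reused nonce and pretend firmware images.
VENDOR_D = 0x5A1D3C7E9F2B4D6081A2C3E4F50617283940A5B6C7D8E9FA0B1C2D3E4F506172
VENDOR_PUB = _mul(VENDOR_D, G)
OFFICIAL_FW_A = b"official-fw-5.0.0 (constructed image)"
OFFICIAL_FW_B = b"official-fw-5.1.0 (constructed image)"
CFW_IMAGE = b"cfw payload (constructed image)"
BAD_NONCE = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF


def scenario():
    """What the loader sees: official images pass, a CFW image with a borrowed signature
    fails, and a nonce-reuse slip hands the attacker a key that signs anything."""
    sig_a = sign(VENDOR_D, OFFICIAL_FW_A, BAD_NONCE)
    sig_b = sign(VENDOR_D, OFFICIAL_FW_B, BAD_NONCE)  # same k twice: the mistake
    d = recover_private_key(OFFICIAL_FW_A, sig_a, OFFICIAL_FW_B, sig_b)
    cfw_sig = sign(d, CFW_IMAGE, secrets.randbelow(N - 1) + 1)
    fresh_a = sign(VENDOR_D, OFFICIAL_FW_A, secrets.randbelow(N - 1) + 1)
    fresh_b = sign(VENDOR_D, OFFICIAL_FW_B, secrets.randbelow(N - 1) + 1)
    return {
        "official_ok": boot(VENDOR_PUB, OFFICIAL_FW_A, sig_a),
        "cfw_rejected": not boot(VENDOR_PUB, CFW_IMAGE, sig_a),
        "key_recovered": d == VENDOR_D,
        "cfw_forged_ok": boot(VENDOR_PUB, CFW_IMAGE, cfw_sig),
        "fresh_nonces_differ": fresh_a[0] != fresh_b[0],  # proper RNG: no shared r
    }


if __name__ == "__main__":
    print(scenario())
```

The loader in `boot` can only answer yes or no; nothing on the device side lets a CFW produce a valid signature for itself. The attack that does work needs a vendor-side slip (here, a nonce used twice), which is why the thread's answer to "can't the CFW just sign itself" is no, while the PS3 story is still possible in principle.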
